Building adversarial training data infrastructure for Security LLMs. Covering SQL Injection, XSS, RCE, Buffer Overflow, Path Traversal, Comprehensive Threat Detection and 8 major security datasets, with five-tuple structured annotation and full MITRE ATT&CK mapping.
Generative AI is both an attack weapon and a defense revolution. From LLM-driven automated vulnerability discovery to the rise of Security LLMs, from adversarial machine learning to AI red teaming, AI is reshaping the cybersecurity landscape.
Microsoft Security Copilot, Google Sec-PaLM, Palo Alto Cortex XSIAM and other specialized security large models have successively launched. Based on GPT-4/Claude architectures, they match or exceed human expert levels in threat intelligence, SOC alert triage, and attack chain reasoning. In the Security LLM era, high-quality adversarial data becomes the core barrier.
Transformer and GNN-based APT attack detection systems achieve over 95% accuracy on public benchmarks like DARPA TC and CIC-APT, significantly surpassing traditional rule engines. Multi-stage attack chain recognition, TTP reasoning, and anomaly behavior baseline modeling have become research hotspots, urgently requiring large-scale high-quality APT samples.
OpenAI, Anthropic, and Google DeepMind have established professional AI red teams to conduct adversarial testing on Prompt Injection, Jailbreak, Data Poisoning, Model Extraction and other attacks. NIST AI RMF and OWASP LLM Top 10 list adversarial machine learning as a core AI security issue.
FBI/IC3 annual reports show that generative AI has increased phishing email success rates by 300%, with Deepfake voice scams causing over $500 million in losses. Black-market LLMs like WormGPT and FraudGPT circulate on the dark web, and AI-driven automated vulnerability discovery and adaptive attack orchestration are reshaping the threat landscape.
The MITRE ATT&CK framework has been adopted by over 80% of SOC teams worldwide, covering 14 tactics and 200+ techniques. Tools like ATT&CK Navigator, ATT&CK Eval, and CTRAC drive the industrialization of ATT&CK. Security LLMs must deeply understand ATT&CK to perform effective TTP reasoning and threat hunting.
Gartner predicts the AI-driven cybersecurity market will exceed $215 billion by 2030, with a compound annual growth rate of 22.8%. Security operations automation, AI threat intelligence, and zero-trust AI will become the three core tracks. High-quality adversarial data is the core strategic resource for AI security.
From web attacks to system vulnerabilities, from single-point detection to comprehensive threats, from ATT&CK training to detection capability gaps. Five-tuple structured annotation with full MITRE ATT&CK framework mapping.
1,000~30,000 five-tuple entries, covering 7 subtypes including union query, blind injection, error-based, and time-based injection. Supports MySQL/PostgreSQL/MSSQL/Oracle databases. ATT&CK T1190 mapped, includes XML detection rules + PCAP traffic + HTTP reconstructed text + ground truth labels.
1,000~30,000 five-tuple entries, covering 5 subtypes: reflected, stored, DOM-based, mXSS, etc. Includes bypass technique annotations (encoding bypass, case mixing, tag splitting, event mutation). ATT&CK T1189 mapped, covers HTML/JS/CSS/URL multiple contexts.
800~20,000 five-tuple entries, covering 5 RCE types including command injection, deserialization, and SSTI. Includes Java/PHP/Python deserialization Gadget Chain data, supporting full-chain detection with ysoserial. ATT&CK T1059/T1203 mapped, covers command injection → privilege escalation → persistence → lateral movement complete attack chain.
500~10,000 five-tuple entries, covering 4 system-level vulnerability types: stack overflow, heap overflow, format string, and integer overflow. ATT&CK T1203 mapped, designed for binary security AI training, includes the complete loop from rule definition to validation evaluation, supporting CGC training corpus generation.
800~20,000 five-tuple entries, covering 4 attack types: directory traversal, LFI, RFI, and path normalization bypass. Includes rich encoding bypass payloads (URL/Double/Unicode/UTF-8 overlong/null byte/path truncation). ATT&CK T1083/T1005 mapped.
2,000~50,000 multi-type threat five-tuple entries, covering 6 categories: Web/Network/Host/Cloud/API/0day. Complete ATT&CK mapping + kill chain stage annotation. Serves as the complete corpus foundation for Security LLM pre-training, enabling "One Model for All Threats."
1,000~20,000 ATT&CK offensive/defensive skill training entries, covering all 14 tactics and 200+ techniques. Each entry includes ATT&CK technique metadata, attack description, detection method, mitigation measures, process examples, and PCAP correlation. Dedicated corpus for Security LLM pre-training/SFT, covering the full scenario from knowledge injection to practical training.
500~1,500 high-value detection gap analysis + TTP reasoning chains with log data source mapping. Covers the complete pipeline from gap identification to rule generation, with five-tuple correlation structure. Dedicated for detection engineering automation training, supporting intelligent SIEM rule generation and red-blue team simulation.
All security datasets adopt a unified five-tuple (actually six-tuple) correlation structure, covering the complete loop from rule definition to traffic validation, providing a structured training foundation for Security LLMs.
Unique rule ID, ATT&CK technique ID mapping, attack category, severity level, CVE correlation and other metadata identifiers
Structured XML format detection rule definition, including regex features, match conditions, and action types, directly consumable by WAF/IDS/SIEM
Real attack payload samples, including bypass techniques, encoding variants, Gadget Chains, etc., covering mainstream attack methods and variants
Complete HTTP request/response reconstructed text, including Header, Body, Cookie, URL and all fields, easy for NLP models to understand
Raw PCAP capture data, preserving complete network layer information (TCP/IP, TLS handshake, timing, etc.), supporting traffic analysis model training
Standard answers annotated by human experts (attack/normal, type, severity), used for model SFT/RLHF training and evaluation
Langhui security datasets comprehensively map the MITRE ATT&CK framework, covering the complete attack kill chain from initial access to impact. Green cells indicate covered technique areas.
Each entry uses a five-tuple structured format, with comprehensive annotation from ATT&CK metadata to PCAP traffic.
{
"rule_id": "SQLI-2026-UNION-0001",
"attack_type": "SQL Injection",
"sub_type": "Union-based",
"mitre_attack": "T1190",
"severity": "CRITICAL",
"xml_rule": "UNION.+SELECT ",
"payload": "1' UNION SELECT username,password FROM users--",
"http_request": "GET /login?id=1'%20UNION%20SELECT...",
"pcap_ref": "pcap/sqli-union-0001.pcap",
"label": "malicious",
"db_type": "MySQL"
}From WAF rule generation to Security LLM training, from SOC automation to red-blue team exercises, Langhui security datasets cover every critical aspect of AI security.
The comprehensive threat detection dataset serves as the complete corpus foundation for Security LLMs, covering 6 categories: Web/Network/Host/Cloud/API/0day, enabling "One Model for All Threats." Combined with the ATT&CK training dataset for SFT, it injects TTP reasoning capabilities.
XML detection rules from SQL injection/XSS/RCE/path traversal datasets can be directly consumed by WAF. Train LLMs to automatically generate detection rules for new attacks, increasing coverage by 40%+ and reducing false positives by 60%+.
Train SOC AI analysts using ATT&CK-based multi-attack mixed datasets for automated alert triage, threat hunting, and attack chain reasoning. Detection gap datasets help identify SIEM blind spots and intelligently generate complementary rules.
ATT&CK training datasets support red team TTP simulation and blue team detection validation, automatically generating attack playbooks and detection rules. Detection gap datasets accurately identify defensive blind spots and quantify red-blue team coverage.
RCE/buffer overflow datasets train code audit models to automatically identify deserialization Gadget Chains, stack overflows, format string vulnerabilities, and more, supporting Java/PHP/Python/C/C++ multi-language code.
ATT&CK training datasets give LLMs deep understanding of TTPs (Tactics/Techniques/Procedures), enabling reasoning from a single alert to a complete attack chain, correlating threat intelligence, and predicting attacker's next moves.
The DataAssetsAPI platform by Changsha Langhui Information Technology Co., Ltd. is dedicated to providing security teams and AI enterprises with high-quality, compliant adversarial data infrastructure. From SQL injection to comprehensive threats, from ATT&CK training to detection capability gaps, we build a complete Security LLM training loop.